Letsencrypt could not access the challenge file

I am trying to provision a new server but get this error

Could not access the challenge file for the hosts/domains: www.domain_hidden.com, domain_hidden.com. Let’s Encrypt requires every domain/host be publicly accessible. Make sure that a valid DNS record exists for www.domain_hidden.com, domain_hidden.com and that they point to this server’s IP. If you don’t want these domains in your SSL certificate, then remove them from site_hosts. See SSL | Trellis Docs | Roots for more details.

I can ping the server’s IP, domain_hidden.com and www.domain-hidden.com. I can provision and deploy successfully without SSL, and with a self-signed certificate. In both cases I get a functioning site (minus the SSL warning in the browser). There is no AAAA record for the site. There is no firewall on the server and none by the provider either.

Any idea what could be wrong?

OK, no AAAA record rules out the classic IPv6 over IPv4 address for validation with Let’s Encrypt issue.

Note that this error message comes from Trellis, which does a check on its own, before actually making Let’s Encrypt validate the domain (this can save quotas).
So when your workstation/CI server that runs Ansible (applies the Trellis playbook) is not able to resolve the domain or fetch the file (fail2ban comes to mind), this pre-check will fail, even when Let’s Encrypt may actually be able to validate.

So check on your workstation/CI server on which Ansible is used to apply the Trellis playbook, whether you can resolve that domain and whether you can request files from that site. It may very well be that you added test records to /etc/hosts or your local DNS server, for example, which interfere with fetching the test file from the site by your own workstation/CI server.

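To make the answer above concrete, here is an added example (not Trellis's own code, and not posted by anyone in this thread) of a stand-alone pre-check you can run on the workstation/CI machine that applies the playbook. It does the three things the answer says to verify from that machine: whether a name is pinned in the local hosts file, whether the name resolves to the server's IP from here, and whether a file under the ACME challenge path can actually be fetched over plain HTTP. The challenge path, the token name and the function names are assumptions; Trellis's real pre-check uses its own file name and logic.

```python
"""Local reproduction of a Let's Encrypt HTTP-01 pre-check, run from the Ansible control machine.

Added example; not Trellis code. Resolver and fetcher are injectable so the logic
can be exercised offline with fake DNS/HTTP (see the usage block at the bottom).
"""
import http.client
import socket
import sys
import urllib.request

# Assumed path: HTTP-01 challenges are served under /.well-known/acme-challenge/.
CHALLENGE_PATH = "/.well-known/acme-challenge/"


def resolve_a_records(hostname):
    """IPv4 addresses *this machine* gets for hostname (honours /etc/hosts, like Ansible would)."""
    try:
        infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_http(url, timeout=10):
    """Plain-HTTP GET (HTTP-01 is validated over port 80). Returns (status, stripped body)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace").strip()


def hosts_file_overrides(hosts_text, hostnames):
    """Names from `hostnames` that an /etc/hosts-style text pins to a fixed address.

    Such a pin is exactly the local test record the answer warns about: the Ansible
    machine would then talk to that address instead of the public one.
    """
    wanted = {h.lower() for h in hostnames}
    pinned = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if name.lower() in wanted:
                pinned.setdefault(name.lower(), ip)  # first match wins, as resolvers do
    return pinned


def precheck(hostnames, server_ip, token, resolve=resolve_a_records, fetch=fetch_http, hosts_text=""):
    """Return {hostname: [problem, ...]}; an empty list means that host passed the pre-check."""
    report = {}
    pinned = hosts_file_overrides(hosts_text, hostnames)
    for host in hostnames:
        problems = []
        if host.lower() in pinned:
            problems.append(f"pinned to {pinned[host.lower()]} in the local hosts file")
        addrs = resolve(host)
        if not addrs:
            problems.append("no A record / does not resolve from this machine")
        elif server_ip not in addrs:
            problems.append(f"resolves to {', '.join(addrs)}, not {server_ip}")
        url = f"http://{host}{CHALLENGE_PATH}{token}"
        try:
            status, body = fetch(url)
        except (OSError, http.client.HTTPException, ValueError) as exc:
            # Connection refused/timeout here while the site works from elsewhere
            # points at a firewall or a fail2ban ban of this machine's address.
            problems.append(f"cannot fetch {url}: {exc}")
        else:
            if status != 200 or body != token:
                problems.append(f"unexpected answer for {url}: HTTP {status}, body {body!r}")
        report[host] = problems
    return report


if __name__ == "__main__":
    # Usage: python precheck.py <server_ip> <token-file-name> host1 [host2 ...]
    # Place a file named <token-file-name> containing its own name under the challenge
    # directory on the server first, then run this on the Ansible control machine.
    if len(sys.argv) < 4:
        sys.exit("usage: precheck.py SERVER_IP TOKEN HOST [HOST ...]")
    server_ip, token, hosts = sys.argv[1], sys.argv[2], sys.argv[3:]
    try:
        with open("/etc/hosts", encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    except OSError:
        hosts_text = ""
    for host, problems in precheck(hosts, server_ip, token, hosts_text=hosts_text).items():
        print(f"{host}: {'OK' if not problems else '; '.join(problems)}")
```

Run it from the same machine that runs `ansible-playbook`, not from the server or your laptop's browser: the whole point of the answer is that the check fails or passes according to what that particular machine can resolve and fetch. A host listed as "pinned" or "resolves to ..., not ..." is the /etc/hosts or local-DNS interference case; "cannot fetch" with a working site elsewhere is the firewall/fail2ban case.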

Thank you @strarsis

I tried again today and it worked, without having changed anything. Not sure what went wrong. The culprit might indeed have been an AAAA record - I had deleted that more than 24h before posting but maybe it hadn’t fully propagated yet.